Cisco Secure Firewall Reviews

To safeguard our clients' system data and related aspects, we rely on Next-Generation Firewalls as a system integrator. In particular, we use Cisco Secure Firewall for enhanced security measures.

We have provided our services to the National Information Center in Riyadh, which is a government database. They installed Cisco Secure Firewall systems and have given us positive feedback, which is why most of the areas prefer to use Cisco. To date, we have not received any negative feedback from our clients regarding any issues, such as hacking. Everything has been secure, and I hope it stays that way in the future.

Our company operates in Saudi Arabia, primarily working with government sectors. If any hardware malfunctions, the defective device is removed, and we receive a replacement from the reseller. We have not encountered any issues related to delays in receiving replacements for malfunctioning devices which has been beneficial.

In today's world, cyberattacks have become a common occurrence. However, so far, we have not faced any issues with our systems. I hope the situation remains the same in the future. If Cisco introduces even more advanced security measures, it would be beneficial.

One of the major issues we face in the Middle East is the long delivery time for Cisco products. Currently, they are taking almost 10 months to deliver, which is much longer compared to before when we received the products within 70 to 80 days or even two to three months. For instance, we recently placed an order that has a delivery date in the middle of 2024. This delay is unacceptable as customers cannot wait that long, and they may opt for other alternatives, such as Huawei, Juniper, or HPE. Therefore, Cisco needs to improve its delivery time and ensure that they deliver products within a reasonable timeframe, as it did before.

I have been working with Cisco Secure Firewall for more than 10 years.

We have not encountered any stability issues. The only issue we faced was with another company that did not have proper cooling systems in their data center.

The scalability of the Cisco Secure Firewall is excellent.

A few years ago, we faced an issue with some of our devices in Saudi Arabia, and we reached out to Cisco for assistance. They responded promptly and repaired our devices within the given time frame. While the delivery time for their solutions in the Middle East may be longer, Cisco still delivers their solutions on time, whether it's for repair or new orders. Even if the delivery time is up to a year, Cisco ensures that our products are provided on time.

I rate the support from Cisco Secure Firewall a ten out of ten.

Positive

As a system integrator, our primary focus is not on selling products, but rather on providing comprehensive solutions to our customers, starting from scratch and ensuring everything runs smoothly. In this regard, we rely heavily on Cisco devices, including switches, routers, code devices, NK, Nexus, 7000, and 9000. We also use other Cisco products, such as IP phones and access points. In Saudi Arabia, Cisco is the most popular brand in the market, but its popularity is declining due to prolonged delivery times. Customers cannot afford to wait a year, and this is the primary reason for the decline in demand.

The prices of Cisco Secure Firewall are competitive, especially for us as Cisco partners. We purchase the products directly from Cisco as a gold partner, which allows us to obtain better pricing than we would get from normal distributors or the local market.

Our current company, SNC ICT, is already a Cisco Gold Partner. We are actively involved in investing, purchasing, and selling Cisco products to our customers, as well as performing installations, configurations, and providing other related services.

In the Middle East, most people with a budget opt for Cisco. However, I do not have any information about the preferences in Europe, South Asia, or Asia.

We use Cisco IronPort, Firepower, Secure Firewall, Email, and Secure Connect.

As with most products, integration could be better where needed. Sometimes, for example, the Cisco Secure Firewall and IronPort are in a class of their own. When it comes to management and logging, there's room for improvement.

Most of the products aren't configured on their own, but they are related together. There should be some sort of management. We would need a supervisor to manage it before using all of the solutions together.

They address services that belong together. For example, the Secure Client provides remote access. Authentication and multiple-factor authentication are two different products that belong together. There should be a link between both products and between both management interfaces to see, for example, troubleshooting or reporting so that you have both sources together.

It would be great to have all the data correlated to have an overview and one point of administration. 

The grouping of the solutions helps save time. If you have a problem and you have a high-level overview of the system, you can easily dig deeper into the problem. For example, I can check to see why ASA isn't working but the reason for the outage is actually because of Duo. I can spend a lot of time working in the wrong direction because I didn't have an overview.

IronPort stuff looks at first a little bit outdated. It's not a fancy-colored view, but it does its job and is extremely helpful. Debugging on this platform is very easy. 

Firepower's implementation and reliability need room for improvement. 

We address our problems with the relevant people. Some of the quality of their support has dropped. If your problem gets escalated, there are many skilled people who are absolute pleasures to work with. They are brilliant at what they do. 

If you talk to someone who solves the problem within five minutes you can't do any better. But on the other hand, the other end of the range needs improvement.

You can have a case that lasts 15 months in which you have to talk to 20 people to resolve. 

Neutral

The complexity of the installation depends. It's not so easy to install. Each topic needs one management interface. So you end up with 20 to 40 different management platforms. All of them use a tremendous amount of resources. If you're willing to install it, you need a huge pile of hardware. It is not clear what everything does. Some consolidation there would be helpful. Other vendors face the same problem.

We have seen ROI from using Cisco.

I chose Cisco because I've been working with them for 23 years. I choose it for its stability and because they have the right range of products. Most of our IT staff is happy with it.

I would rate it a nine out of ten. 

We are mainly using it as a VPN gateway and edge firewall.

It helped us with the transition to working from home and hybrid working. Because of its VPN capabilities, it enabled us to keep working while everyone had to stay home because of COVID.

It integrates well with other systems within our environment. 

I like its integration with the AnyConnect client. I also like how modular it is. For example, I can easily integrate the Umbrella add-on into it. We are planning on adding Umbrella. We haven't added it yet, but we have researched it.

One big pain point I have is the ASDM interface because it's Java, and sometimes, it's a bit buggy and has low performance. That's something that probably won't be improved because of backward compatibility. 

The CLI is not always clear. It's not always intuitive.

Some of the things, such as site-to-site VPN, are complicated to set up. The settings you have are all hidden away in crypto maps, and you can't have a setting per tunnel. When you want to change one particular tunnel, you automatically change them all. That's a drawback.

We've been using the Cisco ASA firewall for about two years.

It's reliable.

I haven't had much contact with their tech support. We have a partner called Fundamentals for support. They're good. I'd recommend them.

We have a Palo Alto core firewall, and we handle threat detection and intrusion prevention on that device. We don't use Cisco ASA for detecting or remediating threats.

Compared to other systems that I have used in the past, Cisco ASA is reliable, and it's not a very big hassle to set up. It's very good, and it just does its job. 

It's not a very big hassle to set up. It's a bit complex when you go into different topics that aren't the basic capabilities, such as when you go above VPN and basic ACL configuration, but all in all, it does the job.

I'd rate it a seven out of ten because of the ASDM, non-intuitive CLI, and complication of setting some of the things.

We use them for firewall purposes. We use the small ones with the partners for the services they need, such as VPN and security.

Their performance is most valuable.

The stability could be better because we have a lot of issues with the stability of Cisco Firepower.

I've been using Cisco firewalls for 20 years.

We have a lot of issues with the stability of Cisco Firepower.

It depends on the model. We are hitting some issues with scalability. It's getting very expensive to scale out.

They sometimes take too long and don't fix the issue quickly, but eventually, it is fixed. I'd rate their support a nine out of ten.

Positive

We have been using different Cisco firewalls for a long time. We are currently using Cisco Firepower and Cisco ASA. Cisco Firepower is better than Cisco ASA, but stability is an issue.

It's now easier than before. You can have virtual appliances.

We mostly have it on-prem, but some customers want on-prem virtual.

We considered using a different solution such as Check Point or Huawei. We chose to stay with Cisco because we're experienced with Cisco and because of the support.

The old versions or models saved us time, but the newer ones take our time. Overall, I'd rate Cisco Secure Firewall an eight out of ten.

We use them in our data centers and on the client side. We have a small installation of Firepower in our main data center, and we are also using Cisco ASA firewalls. So, we have the old ASA platform and new Firepowers. 

It saves time because it's easy to operate and it's easy to add new zones or firewall rules. It's also easy to troubleshoot. It's a neat platform.

When I was managing these firewalls, I found them easy to understand, easy to deploy, and easy to maintain as compared to some of the other firewalls I have been involved with earlier. The opinion of my coworkers is that it's easy and quick to establish new zones, expand, and maintain.

I'm not very familiar with the largest Firepower models, but competitors like Palo Alto seem to have a more capable engine to do, for instance, TLS/SSL decryption. As I understand, Firepower doesn't let you export the decrypted traffic so that, for instance, the security department can look at the traffic or inspect traffic. It's all in the box. I've heard rumors that this is something Cisco is working on, but it isn't yet available.

We have been using Cisco firewalls for about 10 years. 

Its stability is good. We have a failover standby solution that works fairly well. It can have some improvements, but we are happy with it.

We had an issue where we had to install another cluster for the firewall because we went out of the capabilities on one of them. You need to analyze in advance how much your usage will grow in the future and you have to decide based on that. It's about adding more firewalls. We can scale in this way, and it's good.

Whenever I've used their tech support, they have been successful. They quickly pinpointed the problem and provided swift remediation for all the problems. My experience has been good. I'd rate them a nine out of ten.

Positive

We decided to go for Firepower because we needed to expand, and we have a large installation of Cisco devices in our environment. It's 70% Cisco. We have one location where they are using Extreme equipment, but in that location also, we have Cisco firewalls. Having one vendor leads to ease of management. It's also easy in terms of competence. We have good knowledge of Cisco, so it's easy to maintain and operate a Cisco platform.

For network security, we have a central hub for all the external traffic. That is a huge load of traffic. On those applications, we are using Palo Alto. We have a mixed combination of Cisco and Palo Alto in our central locations.

Using Cisco firewalls has helped to eliminate or consolidate some of the tools and applications. We have some installations of AlgoSec to see what's going on or how the performance is, but we have, more or less, decided that we don't need them now because there is so much information that we can pull from CSM or FMC.

It's easy to deploy and maintain.

We have a partner for Cisco products. We have a contract with a new partner now for the SDA fabric on ACI.

I'd rate Cisco Secure Firewall a nine out of ten. 

We use Cisco Secure Firewall in our own company for site-to-site VPN to access our customers and provide remote support.

We sell the solution to our customers as well. They use the ASA or FMC for dedicated networking, for example, the process network. That is, they dedicate the process network or ASA to the user network.

As a Cisco Secure reseller, I add value with my professional background, for example, in Cisco TAC, to my customers. We choose to sell Cisco Secure Firewall because of our partner status with Cisco.

The most valuable feature for the customers is that they can control what communication is allowed and what is not allowed. That is, they can allow or deny client traffic.

It also secures the internal network to allow specific client traffic or machine traffic.

Cisco Secure Firewall helped reduce our clients' meantime to repair by 40%. This is because they can easily segment the network. It's easy to troubleshoot because of micro-segmentation.

Cisco Secure Firewall should be easier to handle. It uses ASDM, which is not easy to understand. It would be better if there was direct access via HTTPS.

I have used this solution for around five years, but my company has been using it for 30 years.

Cisco's technical support for security is good. The support staff are professional and know what to do. I would give them an eight out of ten.

Positive

The deployment of the firewall is more difficult if you want to use all of the features. However, if you're using it only as a VPN, then it's a little bit easier to deploy.

Compared to Cisco Secure Firewall, other firewall solutions are easier to handle because they do not use ASDM. They have direct access via web browsers.

If you're considering Cisco Secure Firewall, take a look at what you want to use the firewall for and what kind of handling you prefer. If you prefer easy handling via browsers, then you may need to use another solution because ASDM is no longer the state of the art.

Overall, I would rate Cisco Secure Firewall at seven on a scale from one to ten.

The I add as a reseller is the professional background.

With [my company], NIL, it's cross-domain. It's just not ASA, but in particular we work with customers where we talk about the physical boxes or even the virtual appliances that we're deploying. The use cases can be multiple, but mostly what we have seen is perimeter security, looking at blocking [and] allowing of traffic before accessing the internet.

The majority of the challenges that we see across customers and partners is looking at the data, the integrity, security, [and] looking at various areas where they need to put in boxes or solutions which could secure their environments. It's not just about the data, but even looking at the endpoints, be it physical or virtual. That, in itself, makes the use case for putting in a box like ASA. 

And, of course, with the integrations nowadays that we have from a firewall, looking at multiple identity solutions or logging solutions you could integrate with, that in itself becomes a use case of expanding the genres of integrated security.

The best features would obviously be the ones that are most used: the perimeter security, allowing/blocking of traffic, NAT-ing, and routing, or making it easy as compared to a router. If you were to do the similar features on a router, it would be way more extensive and difficult as compared to a firewall. These are the majority of the features that anyone would begin with.

But of course, they expanded to other features like IPS or cyber security or looking at vulnerabilities or scanning, port scans. Those are the advanced things.

[In terms of overall performance] in the last decade or so, especially in the last three or four years, the scale of where the architecture has been—all the numbers, the stats, everything—has gone up exponentially. It's all because of the innovations that are always happening, and not just at the hardware level, but particularly at the software level. Of course, we can always look at the data sheets and talk about the numbers, but all I can say, in my experience, is that the numbers have really gone up, and the speed at which the numbers have gone up in the last couple of years or so, is really progressive. That's really good to see.

We're reaching [the point] where we want it to be. If you go 10 years back, we did miss the bus on bringing in the virtual versus the physical appliance, but now that we have had it, the ASAv, for a few years, I think we are doing the right things at the right place. 

The only improvement that we could make is maybe [regarding] the roadmap, to have better visibility as to what we are targeting ahead in the next few quarters. That is where we, as partners, can also leverage our repos with our customers and making them aware that there might be some major changes that we may have to introduce in their networks in the near future.

I started back in the days with ASA when I was [with] Cisco. I was [with] Cisco for 12 years. I started as a TAC engineer, and one of the teams I was leading was the ASA team, firewall, and across VPN, AAA. it became like a cross-border team or cross-architecture, and it's been long enough. I've been working with ASAs for about 12 or more years now.

From the stability standpoint, it's way better. Is there a scope for improvement? Of course. There always is. But I can just speak from my experience. What it was and what it is today, it is way better.

We look at scalability for any product of Cisco. I cannot be confined to the ASAs. We have physical, virtual, and cloud deployments. Everything is possible, so scalability is no issue.

Support, when you look at any product from Cisco, has been top-notch. I was a TAC guy myself for 10 years and I can vouch for it like anyone would do from TAC.

Support has always been extensive. There is great detail in root cause analysis. Going back into my Cisco TAC experience, it's always the story that if you know the product well, you know the things that you need to collect for TAC or for any other junior SME to work with you collectively, to get down to the solutions sooner. Otherwise, they have to let you know what you need to collect. It's better to know the product, get the right knowledge transfer, work towards those goals, and then, collectively, we can work as a great team.

I have mostly been involved in the pre-sales stage, and then eventually the post-sales as well. But we do the groundwork of making sure that we have set the stage for the customer to get the initial onboarding. And at times, I do it with other engineers or other colleagues who take it over from there. In my experience, it has been pretty straightforward.

It's not just the implementation, but [it's] also managing or maintaining [the ASA]. It would depend on how complex a configuration is, a one-box versus cluster versus clusters at different sites. Depending on the amount of configuration complexity and the amount of nodes that you have, you would need to look at staff from there. It's hard to put a number [on it and] just say you need a couple of guys. It could be different for different use cases and environments.

[In terms of maintenance] it's about a journey: the journey from having the right knowledge transfer, knowing how to configure a product, knowing how to deploy it, and then how to manage it. Now, of course, from the manageability standpoint, there are some basic checks that you have to do, like firmware upgrades, or backup restores, or looking at the sizing—how much your customer needs: a single node versus multiple nodes, physical versus virtual, cloud versus on-prem. But once you are done with that, it also depends on how much the engineers or SMEs know about configuring the product, because if they know about configuring the product, that's when they would know if something has been configured incorrectly. That also comes in [regarding] maintenance [of] or troubleshooting the product. Knowledge transfer is the key, and making sure that you're up to date and you have your basic checks done. Then, [the] manageability is like any other product, it's going to be easy.

The return on investment is not going to be restricted to just the box, because nowadays, if you look at the integrated security that Cisco has been heavily investing into, it's not just about ASA doing the firewalling functions. Now, these genres have been expanded to cyber, to third-party integrations, having integrated logging, having integrated micro and macro segmentations. The scope has been widened, so the ROI, eventually, has multiplied.

Being a partner, we work with customers who already have different vendor solutions as well. At times, there are a mix of small SMB sites, which could be, let's say, a grocery. There are smaller stores and there are bigger stores, and at times, they do local DIAs or local internet breakouts. [That's where] you do see some cloud-based or very small firewalls as well, but when you look at the headquarters or bigger enterprises, that is where we would probably position Cisco.

[My advice] would depend [on] if they are comfortable with a particular product, if they've been working with a particular vendor. If it's a Cisco shop, or if they've been working on Cisco, or the customers are quite comfortable with Cisco, I would say this is the way to go. Unless they have a mixed environment. It will still depend on the SME's expertise, how comfortable they are, and then looking at the use cases and which products would nullify or solve them. That is where we should position it.

My lessons are endless with ASA, but my lessons are mostly toward product knowledge. When you look at the deployment side of things, or for me, personally, when I was TAC, to know how things work internally within ASA—like an A to Z story, and there are 100 gaps between and you need to know those gaps—and then, eventually, you will get to the problem and solve it in minutes rather than hours.

We are an insurance company. The core of what we do is service. We manage people and security. We have all the implementation for security. 

We have one ERP running on-prem and another one is running on the GCP cloud. We have a cloud service that runs that ERP on GCP. Our other service is running with Microsoft 365. So, we have an in-house AD that syncs with the cloud AD, but it is the firewall that is managing the communication process in between. The on-prem AD sync with the cloud AD is managed by the firewall. It is like a gateway. 

A vendor implemented this system for us to use and manage the process. We have an integration with the GCP. We've integrated this system with our network in such a way that you cannot access the GCP applications or infrastructure if you are not on-premises. This integration with the GCP and our virtual network online has been done locally.

In general, the management of our infrastructure is now easy. I can manage remotely. I can manage on-prem. I can always log in. I have a couple of users who work remotely via VPN because of the license. Not everybody works remotely in my organization. For people who work remotely, we have licenses for them to log in remotely from where they are and use the service. So, managing people, resources, and devices is easy. It has been a good experience. I don't intend to change it because it's giving me the service I need.

In terms of money, it has saved a lot of money. A lot of other organizations that don't have this kind of easy-to-manage layer of security are going through different kinds of attacks. We have a culture of being careful, even though you cannot be a hundred percent careful. When I hear that people have some security issues, I come and check my devices, and I notice that my firewall has actually blocked a lot of things. It gives me rest and peace. So, it saves a lot when you consider the cost of the organization's operations going down, even for one, two, or three hours. We would lose a lot if that happens. It probably saves us over a million dollars a year. The investment is totally worth it.

Our network is a little bit flat. We have a load balancer before getting into our network. We have configured the load balancer on the device itself. We have two major service providers. We have a core business application, and there are some people who use the core business application. We also have some light users. We have set up criteria to give priority to the people who use the core business application. I have a provider that gives me 300 MB to 500 MB, and I have another provider that gives me 20 MB to 25 MB as a backup. I have set priority based on the usage. If you're using the core business application, it pushes you to the fast network. Otherwise, it sends you to the other network. All that has been done on the firewall. It has been very good for this. I have no complaints.

It enables us to implement dynamic policies for dynamic environments, which is important for us. We can control the network based on different kinds of users. We can quickly and easily define the policies. We can set priorities based on different applications, systems, and users on our network.

Its security and filtering are most valuable. Every layer of data that comes into the organization goes through it. After setting up the criteria, it automatically filters the traffic. We don't have to check it often. Sometimes, when users complain that they are not able to see a particular thing, we log in to check the scan and see what it has scanned and filtered. It is usually something it has filtered out. It works perfectly.

It is easy to use. There is a GUI, and there is a backend that is being managed by our consultant. When we log in to the GUI, we are able to do anything we want to do. Its user interface is good, but it could be better. Currently, you have to know what to do before you can manage a device. If you don't know what to do, you can mess things up. There are some devices that are easier, such as FortiGate. The user interface of FortiGate is more intuitive. It is very easy to log in and configure things. With Cisco, there is also a lower limit on virtual accounts. In FortiGate, they could be in thousands. Cisco is also more expensive. 

I have been using this solution for about three to four years.

It is very stable. I've not had any thought of reconfiguring it. I have just applied my criteria, and I'm good.

Scalability is not a problem because I still have a span of five to seven more years. After that, I might have to go for a bigger device. For now, I have no issues. I can scale up or down. I'm good with that.

Their support is very good. We had an issue where the OS got corrupted. We got Cisco to log in. They did the reset on it, reformatted it, and sent it back to us. Because of the subscription we have with Cisco, we got a copy back in no time. We're now good. We've not been calling their tech support very often. We only call them when we have a very serious issue. I would rate them a nine out of ten.

Positive

It wasn't simple. Its implementation doesn't take much time, but we had to get a consultant in. Implementing a Cisco solution from scratch is harder than implementing FortiGate. With FortiGate, I can do my implementation and put all the criteria easily, but with Cisco, I need to do a lot more research, and I need to get someone to help me, but after implementation, it just works.

We had a consultant from a local vendor here called Incognito. Our experience with him was good. I can refer him to anybody.

When we have issues and we need improvement, he comes in. There was a time we noticed that we had lag on our network. We were trying to figure out the cause for it. We were using two service providers but the same backbone. We called him to make the required modifications.

It is more expensive than the other solutions. 

I'm the CIO here. When I came here, I did an audit of the IT infrastructure to see what was there. I looked at what was existing and thought of improvement. I got in all the vendors and had a meeting with them. I also got in a Cisco vendor and sat down with him and told him about the implementation I wanted. Because of the cost, I didn't change any equipment. So, he did the implementation. At any other place, I would look at the users and implement what is easy for them to manage. For a big enterprise with a whole crew, I would definitely consider Cisco. For any other place, I would go for Fortinet. Cisco is harder to implement and manage, but its stability is good. It is also more expensive. There are other cheaper solutions I would have gone for, but I had to focus on what was existing and improve. I had to make sure I worked with what was existing. We also have Cisco switches.

What it's been configured to do, it does it well. I would rate this solution a nine out of ten.